US11523261B2 - Handling of subscription profiles for a set of wireless devices - Google Patents
Handling of subscription profiles for a set of wireless devices Download PDFInfo
- Publication number
- US11523261B2 US11523261B2 US17/267,552 US201817267552A US11523261B2 US 11523261 B2 US11523261 B2 US 11523261B2 US 201817267552 A US201817267552 A US 201817267552A US 11523261 B2 US11523261 B2 US 11523261B2
- Authority
- US
- United States
- Prior art keywords
- profile
- wireless devices
- identifier
- handling
- wireless device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/60—Subscription-based services using application servers or record carriers, e.g. SIM application toolkits
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/50—Service provisioning or reconfiguring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
Definitions
- Embodiments presented herein relate to methods, devices, computer programs, and a computer program product for handling subscription profiles for a set of wireless devices.
- communications networks there may be a challenge to obtain good performance and capacity for a given communications protocol, its parameters and the physical environment in which the communications network is deployed.
- one parameter in providing good performance and capacity for a given communications protocol in a communications network is security.
- proper security mechanisms are needed to prevent misuse of connected devices.
- DDoS distributed denial of service
- IP Internet Protocol
- routers digital video recorders running the Internet Protocol, and so on.
- Connected devices may also be entrusted with valuable, sensitive, or private data that needs to be protected from unauthorized access.
- Identity management is a central part of security and device life-cycle management.
- a connected device generally needs an identity to be able to identify and authenticate itself to its counterparts in the network in order to establish secure communication to other connected devices or services. This is needed at the connectivity layer when connecting to a network and at the application layer when connecting to a service of the network.
- Secure communication protects sensor data, or control data for actuators, but is also needed for provisioning of identities to the connected device and for secure configuration of the connected device, including secure firmware update.
- Identities are also the base for an access control mechanism controlling who can access resources of a connected device, including who can provision additional identities to the connected device.
- FIG. 1 A simplified block diagram of a communications network too is illustrated in FIG. 1 .
- Each of N connected wireless devices 500 a , 500 b , . . . , 500 N is provided network access by a network node 110 , such as a network gateway (GW), an access point (AP), or a radio base station (RBS) of a connectivity provider network 120 .
- the connectivity provider network may offer network access using WiFi, or cellular telecommunications systems such as fourth generation wireless system supporting the Long Term Evolution (LTE) standard and/or a fifth generation wireless system.
- LTE Long Term Evolution
- the connectivity provider network 120 further comprises an authentication server 180 I, 180 E, which could be an authentication, authorization, and accounting (AAA) server, an Authentication Server Function (AUSF) server, or a Mobility Management Entity (MME). Subscriber information for connectivity may be stored in the authentication server 180 I, 180 E or may be stored in a separate network entity, which could be a home subscriber server (HSS) 140 , a Unified Data Management (UDM) server, and/or an Authentication credential Repository and Processing Function (ARPF) server, and which separate network entity also provides authentication material for use by the authentication server 180 I, 180 E.
- HSS home subscriber server
- UDM Unified Data Management
- ARPF Authentication credential Repository and Processing Function
- the connectivity provider may use an authentication service provided by another vendor.
- the authentication server (such as authentication server 180 E) may be located outside of the connectivity provider network 120 .
- the connectivity provider network 120 might then be configured to attach to the authentication server 180 E outside the connectivity provider network 120 either directly from the network node 110 or via its own (internal) authentication server 180 I.
- the connectivity provider may rely on an external authentication service provided by another vendor.
- the connectivity provider network 120 in turn is operatively connected to a service network 150 , such as the Internet, possibly comprising at least one communication device 190 that could be a data server (DS).
- the service network 150 is further operatively connected to an enterprise network 160 .
- the enterprise network 160 comprises a management server (MS) 170 and possibly at least one communication device 190 that could be a DS.
- MS management server
- the wireless device 500 a , 500 b , . . . , 500 N could belong to the enterprise of the enterprise network 160 and be configured to provide sensor data (or other type of data) to one or more of the communication devices 190 located either in the enterprise network 160 or in the service network 150 .
- the enterprise manages the wireless device 500 a , 500 b , . . . , 500 N through the management server 170 .
- Management comprises providing identities and credentials to the wireless device 500 a , 500 b , . . . , 500 N and the communication device 190 to which the wireless device 500 a , 500 b , . . . , 500 N is communicating with such that secure communication can be established.
- the connectivity provider network 120 may, partly or fully, also be provided by the enterprise.
- the so-called 3GPP identity technology where 3GPP is short for third generation partnership project, is a well-proven identity technology that might be leveraged as identity technology for constrained devices, not only for constrained devices to access cellular networks, but also for other constrained devices to access non-cellular networks such as WiFi.
- the 3GPP Authentication and Key Agreement (AKA) protocol is agnostic to the underlying network and can for example be tunnelled in the Extensible Authentication Protocol (EAP) using the EAP-AKA (and EAP-AKA′).
- EAP is a commonly used authentication and key agreement protocol as part of network attachment, e.g. for WiFi network access.
- EAP-AKA or EAP-AKA′
- EAP-AKA allows existing security infrastructure (e.g. at enterprises) to be used that easily can integrate with the authentication systems (such as HSS) of mobile network operators (MNOs).
- the so-called embedded UICC is a dedicated UICC chip integrated into the device, i.e. it is not removable.
- remote management of the eUICC and the subscriptions stored on it is provided such that users or device owners can change subscriptions for their devices and the new subscription data is provisioned onto the eUICC remotely.
- GSMA GSM Association, where GSM is short for Global System for Mobile communication
- M2M machine-to-machine
- the end-user controls the switch between profiles instead of the operator/remote provisioning server as in the M2M variant.
- iUICC integrated UICC
- CPU central processing unit
- iUICC may alternatively be realized using hardware isolation mechanisms such as ARM TrustZone or Intel SGX.
- the end-user 410 owning and/or using the device may here order a new profile download from an MNO entity 200 .
- the MNO entity 200 acts as a subscription management server and prepares a profile provisioning server, SM-DP+ 300 (short for enhanced Subscription Manager Data Preparation), for the profile download.
- SM-DP+ 300 short for enhanced Subscription Manager Data Preparation
- the end-user 410 triggers the profile download (and switch of profile) via a Local Profile Assistant (LPAd) available in the device via a user interface.
- the LPAd comprises a Local Discovery (LDSd) entity, a Local Profile Download (LPDd) entity, and a Local User Interface (LUId) entity.
- LDSd Local Discovery
- LPDd Local Profile Download
- LId Local User Interface
- the suffix d indicates that the entity is part of the wireless device 500 a .
- An eUICC/iUICC manufacturer (EUM) 460 is the entity that manufactured the eUICC/iUICC.
- the manufacturer of an iUICC is typically the device manufacturer.
- the Certificate Issuer (CI) 450 is the issuer of certificates used in profile download and other operations. Operational interfaces are shown as directional arrows connecting the entities 200 - 500 .
- ES9+ is the interface between SM-DP+ 300 and LPAd/LPDd in the wireless device 500 a
- ES10b is the interface between LPAd/LPDd and the eUICC/iUICC
- ES8+ is the interface between SM-DP+ 300 and the eUICC/iUICC in the wireless device 500 a.
- FIG. 3 is a signalling diagram of profile download to the wireless device 500 a .
- secure communication is established between the eUICC/iUICC and the SM-DP+ 300 as well between the LPAd and the SM-DP+ 300 .
- the use of the GSMA consumer variant for constrained wireless devices 500 a poses problems in that many constrained wireless devices 500 do not have a user interface for communication with the end-user/device owner 410 . Instead the constrained device is managed and configured via a Management Server (MS) using a dedicated management protocol such as LightweightM2M (LwM2M).
- MS Management Server
- LwM2M LightweightM2M
- a wireless device 500 a may by itself not have Internet connectivity (e.g. before first subscription profile download) such that it can connect to the provisioning server SM-DP+ 300 .
- the GSMA RSP consumer variant defines the concept of a companion device and a primary device where a companion device is a communications device that relies on the primary device for connectivity and/or user interface during profile provisioning and local profile management.
- Secure communication for example by means of HTTPS (short for HTTP Secure, where HTTP is short for Hypertext Transfer Protocol), is mandated between the companion device and the primary device for protection of the user interface to trigger profile management operations.
- IoT Internet of Things
- companion device and primary device described above allows the device owner/user to interact with the device (i.e. the LPAd) via the network interface from a central controlling unit, such as a device management server.
- a central controlling unit such as a device management server.
- many constrained IoT devices do not support HTTPS.
- a secure communication using e.g. DTLS could be used between the wireless device 500 a and the management server.
- the functionality for local management of profiles provided by the LPAd is split between a proxy device and the wireless device 500 a .
- LPApr and LPAdv these two parts of the LPAd will hereinafter be referred to as LPApr and LPAdv.
- the LPApr handles the HTTPS sessions with the SM-DP+ 300 (and SM-DS) and handles the interaction with the user/owner of the device
- the LPAdv handles the interaction with the eUICC/iUICC.
- a secure communication protocol might be established between the LPApr and the LPAdv using a protocol stack suitable for the wireless device 500 a.
- the GSMA RSP consumer variant specification defines four different ways for how profile download can be triggered and performed.
- Activation Code When ordering a 3GPP subscription, the device owner/user is provided with an Activation Code (AC) containing an activation code token (also known as matching identifier or matching ID for short) and address of the SM-DP+ 300 to be contacted for the profile download.
- the AC is given to the wireless device 500 (when being an ordinary consumer variant) or to a Management Server (MS) (in the case of LPAd split and the LPApr is part of the MS).
- MS Management Server
- the profile download is started when the AC is obtained (ordinary consumer variant) or next time when the device registers with MS after the AC has been obtained.
- the Matching identifier is provided to the SM-DP+ 300 and allows the SM-DP+ 300 to identify the correct profile download order from the MNO entity 200 .
- Advanced Activation Code When ordering a 3GPP subscription, the device owner/user is provided with an Advanced Activation Code (AAC).
- AAC Advanced Activation Code
- the AAC is provided to the wireless device 500 a (when being an ordinary consumer variant) or to the MS (in case of LPAd split and the LPApr is part of the MS).
- the AAC contains a Uniform Resource Locator (URL) to a web service of the MNO entity 200 from where a signed Activation Code (sometimes referred to as a Command Code) can be obtained.
- a signed Activation Code sometimes referred to as a Command Code
- the LPAd triggers the download of the signed AC using the web service.
- LPApr triggers download of the signed AC when a wireless device 500 a (without profile) registers with the MS.
- the signed AC is bound to the wireless device 500 a (i.e. bound to a specific EID).
- the web service triggers profile download preparation at the SM-DP+ 300 , if not already performed when the profile download order was made.
- the profile download is then started when the signed AC is obtained in the same way as described above.
- SM-DS event As part of ordering and preparing profile download or other profile management operation, an event is registered by the SM-DP+ 300 at an Subscription Manager-Discovery Server (SM-DS) server that a profile management operation (e.g. profile download) is due for a specific wireless device 500 a .
- the eUICC/iUICC identifier (EID) is used to identify the wireless device 500 a linked to the profile management operation, i.e. the identity the wireless device 500 a for which the event is valid.
- the EID must be provided to the MNO entity 200 by the device owner/user at profile ordering.
- the wireless device 500 a periodically checks for events at the SM-DS, whose address is registered in the wireless device 500 a , and upon retrieving such an event profile download is triggered by the LPAd.
- the event identifier (EventID) obtained from the SM-DS is in this case used as Matching identifier to be able to locate the correct profile download order at the SM-DP+ 300 .
- the address of the SM-DP+ 300 is also obtained from the event.
- the LPApr is triggered to look for events at the SM-DS for a particular device when the device (without profile) registers with the MS.
- Default SM-DP+ address This option assumes that a profile download order is available at the SM-DP+ 300 when the wireless device 500 a boots up the first time and that the wireless device 500 a uses a default SM-DP+ address preconfigured in the wireless device 500 a (ordinary consumer variant) to contact the SM-DP+ 300 to download the profile. An empty Matching identifier is used and the EID is instead used to locate the profile at the SM-DP+ 300 . Hence, the EID must be provided to the MNO entity 200 by the device owner/user at profile ordering.
- the EID For profile download based on Activation Code and Advanced Activation Code the EID must not necessarily be available and provided to the MNO entity 200 by the device owner/user at profile download ordering.
- the Matching identifier is in this case enough to identify the profile download order.
- the SM-DS event mechanism could also be used by the MNO entity 200 to trigger Remote Profile Management (RPM) operations, such as update of a profile and profile metadata and enabling, disabling, and deletion of a profile.
- RPM Remote Profile Management
- An object of embodiments herein is to provide efficient handling of subscription profiles for wireless devices, and efficient handling of subscription profiles for a set of wireless devices in particular.
- a method for handling subscription profiles for a set of wireless devices is performed by an MNO entity.
- the method comprises obtaining a single request for handling subscription profiles for the set of wireless devices.
- the method comprises performing, with a profile provisioning server, a preparation procedure for the set of wireless devices wherein a common batch profile handling parameter for the set of wireless devices is created, and whereby the set of wireless devices are associated with at least one matching identifier for tracking actions relating to the handling of the subscription profiles at the MNO entity and the profile provisioning server.
- an MNO entity for handling subscription profiles for a set of wireless devices.
- the MNO entity comprises processing circuitry.
- the processing circuitry is configured to cause the MNO entity to obtain a single request for handling subscription profiles for the set of wireless devices.
- the processing circuitry is configured to cause the MNO entity to perform, with a profile provisioning server, a preparation procedure for the set of wireless devices wherein a common batch profile handling parameter for the set of wireless devices is created, and whereby the set of wireless devices are associated with at least one matching identifier for tracking actions relating to the handling of the subscription profiles at the MNO entity and the profile provisioning server.
- a computer program for handling subscription profiles for a set of wireless devices.
- the computer program comprises computer program code which, when run on processing circuitry of an MNO entity, causes the MNO entity to perform a method according to the first aspect.
- a method for handling subscription profiles for a set of wireless devices is performed by a profile provisioning server.
- the method comprises performing, with an MNO entity, a preparation procedure for the set of wireless devices wherein a common batch profile handling parameter for the set of wireless devices is created, and whereby the set of wireless devices are associated with at least one matching identifier for tracking actions relating to the handling of the subscription profiles at the MNO entity and the profile provisioning server.
- the method comprises performing, with a profile management entity and one of the wireless devices, a procedure for handling the subscription profile of the wireless device, during which procedure the profile provisioning server receives from the wireless device a message comprises the matching identifier as signed by the wireless device.
- a profile provisioning server for handling subscription profiles for a set of wireless devices.
- the profile provisioning server comprises processing circuitry.
- the processing circuitry is configured to cause the profile provisioning server to performing, with an MNO entity, a preparation procedure for the set of wireless devices wherein a common batch profile handling parameter for the set of wireless devices is created, and whereby the set of wireless devices are associated with at least one matching identifier for tracking actions relating to the handling of the subscription profiles at the MNO entity and the profile provisioning server.
- the processing circuitry is configured to cause the profile provisioning server to perform, with a profile management entity and one of the wireless devices, a procedure for handling the subscription profile of the wireless device, during which procedure the profile provisioning server receives from the wireless device a message comprises the matching identifier as signed by the wireless device.
- a computer program for handling subscription profiles for a set of wireless devices.
- the computer program comprises computer program code which, when run on processing circuitry of a profile provisioning server, causes the profile provisioning server to perform a method according to the fourth aspect.
- a seventh aspect there is presented a method for handling subscription profiles for a set of wireless devices.
- the method is performed by a profile management entity.
- the method comprises obtaining a common batch profile handling parameter for the set of wireless devices.
- the method comprises performing, with the profile provisioning server and one of the wireless devices, a procedure for handling the subscription profile of the wireless device, during which procedure the profile management entity provides to the wireless device a message comprises the batch profile handling parameter and/or a matching identifier for tracking actions relating to the handling of the subscription profiles at an MNO entity and the profile provisioning server, where upon receiving the message the wireless device provides to the profile provisioning server a message comprises the matching identifier as signed by the wireless device.
- a profile management entity for handling subscription profiles for a set of wireless devices.
- the profile management entity comprises processing circuitry.
- the processing circuitry is configured to cause the profile management entity to obtain a common batch profile handling parameter for the set of wireless devices.
- the processing circuitry is configured to cause the profile management entity to perform, with the profile provisioning server and one of the wireless devices, a procedure for handling the subscription profile of the wireless device, during which procedure the profile management entity provides to the wireless device a message comprises the batch profile handling parameter and/or a matching identifier for tracking actions relating to the handling of the subscription profiles at an MNO entity and the profile provisioning server, where upon receiving the message the wireless device provides to the profile provisioning server a message comprises the matching identifier as signed by the wireless device.
- a ninth aspect there is presented a computer program for handling subscription profiles for a set of wireless devices.
- the computer program comprises computer program code which, when run on processing circuitry of a profile management entity, causes the profile management entity to perform a method according to the seventh aspect.
- a method for a handling subscription profile for a wireless device is performed by the wireless device.
- the method comprises performing, with a profile management entity and a profile provisioning server, a procedure for handling the subscription profile of the wireless device, during which procedure the wireless device obtains from the profile management entity a message comprises a batch profile handling parameter and/or a matching identifier, wherein the batch profile handling parameter is common for a set of wireless devices to which the wireless device belongs, and wherein the set of wireless devices are associated with at least one matching identifier for tracking actions relating to the handling of the subscription profiles at an MNO entity and the profile provisioning server, and where upon receiving the message the wireless device provides to the profile provisioning server a message comprises the matching identifier as signed by the wireless device.
- a wireless device for handling a subscription profile for a wireless device.
- the wireless device comprises processing circuitry.
- the processing circuitry is configured to cause the wireless device to perform, with a profile management entity and a profile provisioning server, a procedure for handling the subscription profile of the wireless device, during which procedure the wireless device obtains from the profile management entity a message comprises a batch profile handling parameter and/or a matching identifier, wherein the batch profile handling parameter is common for a set of wireless devices to which the wireless device belongs, and wherein the set of wireless devices are associated with at least one matching identifier for tracking actions relating to the handling of the subscription profiles at an MNO entity and the profile provisioning server, and where upon receiving the message the wireless device provides to the profile provisioning server a message comprises the matching identifier as signed by the wireless device.
- a computer program for handling a subscription profile for a wireless device comprises computer program code which, when run on processing circuitry of a wireless device, causes the wireless device to perform a method according to the tenth aspect.
- a computer program product comprises a computer program according to at least one of the third aspect, the sixth aspect, the ninth aspect, and the twelfth aspect and a computer readable storage medium on which the computer program is stored.
- the computer readable storage medium can be a non-transitory computer readable storage medium.
- these MNO entities, these profile provisioning servers, these profile management entities, these wireless devices, and these computer programs provide efficient handling of subscription profiles for a set of wireless devices.
- these MNO entities, these profile provisioning servers, these profile management entities, these wireless devices, and these computer programs enable simple and efficient procedures for profile download and RPM operations for an enterprise with a set of wireless devices.
- these methods allow profile download ordering to be carried out even before the individual identities of the wireless devices are available.
- FIG. 1 is a schematic diagram illustrating a communication network according to embodiments
- FIG. 2 is a schematic illustration of an architecture for connectivity management
- FIG. 3 is a signalling diagram
- FIGS. 4 , 5 , 10 , and 11 are signalling diagrams according to embodiments
- FIGS. 6 , 7 , 8 , and 9 are flowcharts of methods according to embodiments.
- FIG. 12 is a schematic diagram showing functional units of an MNO entity according to an embodiment
- FIG. 13 is a schematic diagram showing functional modules of an MNO entity according to an embodiment
- FIG. 14 is a schematic diagram showing functional units of a profile provisioning server according to an embodiment
- FIG. 15 is a schematic diagram showing functional modules of a profile provisioning server according to an embodiment
- FIG. 16 is a schematic diagram showing functional units of a profile management entity according to an embodiment
- FIG. 17 is a schematic diagram showing functional modules of a profile management entity according to an embodiment.
- FIG. 18 is a schematic diagram showing functional units of a wireless device according to an embodiment
- FIG. 19 is a schematic diagram showing functional modules of a wireless device according to an embodiment.
- FIG. 20 shows one example of a computer program product comprising computer readable means according to an embodiment.
- an enterprise with hundreds, or even thousands, of wireless devices 500 a is, by means of a single batch order, enabled to order 3GPP profiles for the wireless devices 500 a , 500 b , . . . , 500 N from an MNO entity 200 .
- the MNO entity 200 and a profile provisioning server 300 are therefore configured to support handling of a batch of profiles.
- the profile provisioning server 300 is represented by the SM-DP+.
- FIG. 4 illustrating profile ordering and download for a set of wireless devices 500 a , 500 b , . . . , 500 N.
- the enterprise contacts a connectivity and/or identity provider in the form of an MNO entity 200 in order to place an order where 3GPP identities are requested and subscriptions are ordered for a set of wireless devices 500 a , 500 b , . . . , 500 N (message: “Order new profiles for batch of devices”).
- the MNO entity 200 typically is reachable by the enterprise by means of a web-portal where the enterprise can register orders and provide payment information, subscription billing information, etc.
- a single batch order is made for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the enterprise provides information about the set of wireless devices 500 a , 500 b , . . .
- this information may specify that the set of wireless devices 500 a , 500 b , . . . , 500 N are constrained IoT devices equipped with an NB-IoT modem and only supports minimal profiles for IoT containing only USIM (UMTS Subscriber Identify Module, where UMTS is short for Universal Mobile Telecommunications System) application information relevant for NB-IoT, etc.
- the order may be placed prior to the wireless devices 500 a , 500 b , . . . , 500 N have arrived at the enterprise and thus no device identity information might yet be available when the order is placed.
- the MNO entity 200 Upon receiving the order, the MNO entity 200 interacts with the SM-DP+ 300 to prepare the profile download (procedure: “Download preparation for batch of devices”).
- the SM-DP+ 300 may have the same owner as the MNO entity 200 or the owner of the MNO entity 200 might license profile download service from a third party.
- the SM-DP+ 300 prepares protected profile packages based on input (such as type of profile, IMSI range, integrated circuit card identifier (ICCID) range) from the MNO entity 200 .
- the MNO 200 may also provide identity information of the wireless devices 500 a , 500 b , . . . , 500 N, if available.
- the eUICC/iUICC identifier can, if available, be used as device identifier.
- the MNO entity 200 and the SM-DP+ 300 also agree on identifier(s), called Matching identifier(s), that is/are used to track the profile download order at both entities.
- the MNO entity 200 also obtains IMSI and subscription key pairs for each wireless device 500 a , 500 b , . . . , 500 N.
- IMSI and subscription key pairs stored (such as in the Home Subscriber Server (HSS), Home Location Register (HLR), or authentication center (AuC)) such that network access authentication can be performed once the profile is downloaded.
- HSS Home Subscriber Server
- HLR Home Location Register
- AuC authentication center
- the MNO entity 200 prepares information to the enterprise needed for the profile download.
- This may be an Activation Code (AC) and/or batch identifier depending on how the profile download is triggered.
- the Activation Code (AC) and batch identifier (BID) is sensitive data and should not be sent as plain text between the entities.
- the enterprise may also receive a Confirmation Code.
- the Confirmation Code serves as a secret that needs to be presented to the SM-DP+ 300 at each profile download. The use of the Confirmation Code to prevent unauthorized profile download is further described below. If the profile download is triggered using an SM-DS event then the SM-DP+ 300 contacts the SM-DS to register such an event (procedure: “Event registration OPTIONAL”). Further details of the download preparation phase will be described below.
- the wireless devices 500 a , 500 b , . . . , 500 N are installed and booted up for the first time they bootstrap and register with a profile management entity 400 , such as a Management Server (MS), selected by the enterprise (procedure: “Device first boots up, bootstrap to MS/Proxy”).
- a profile management entity 400 such as a Management Server (MS), selected by the enterprise (procedure: “Device first boots up, bootstrap to MS/Proxy”).
- MS Management Server
- a state-of-the-art bootstrap mechanism can be used and is thus not described further herein.
- the wireless devices 500 a , 500 b , . . . , 500 N register one by one at the profile management entity 400 and profile download is then triggered (one by one) for the wireless devices 500 a , 500 b , . . . , 500 N (message: Register).
- Each wireless device 500 a , 500 b , . . . , 500 N performs a profile download process with the SM-DP+ 300 to download the 3GPP profile (procedure: “Profile download” and messages “Profile installed (info)” and “Enable profile”). This process depends on whether an Activation Code is used to trigger profile download or if the SM-DS event mechanism is used to trigger profile download. It also depends on if the LPAd is split up and a proxy is used for profile download or if the wireless device 500 a , 500 b , . . . , 500 N itself is configured with the functionality of the full LPAd. As part of profile download, detailed information, such as IMEI and EID, becomes known to the SM-DP+ 300 and may be provided further to the MNO entity 200 if not already available at the MNO entity 200 .
- the SM-DS event mechanism is used for triggering profile download.
- an event valid for the complete set of wireless devices 500 a , 500 b , . . . , 500 N is bound to a common batch identifier (e.g. formatted as an EID value).
- the download preparation part of the profile ordering between the MNO entity 200 and SM-DP+ 300 is extended to handle a batch order using the common batch identifier and a common Matching identifier and the SM-DP+ 300 profile download behavior is extended to support the use of a common Matching identifier valid for several profile downloads (of wireless devices 500 a , 500 b , . . . , 500 N in the same set).
- the batch identifier is selected by the MNO entity 200 and provided to the SM-DP+ 300 and the enterprise.
- the batch identifier could be the identifier used by the enterprise to reference the batch order made at the MNO entity 200 .
- the enterprise makes the batch identifier available to the LPApr for use when checking for SM-DS events.
- the enterprise makes the batch identifier available for download from a server (e.g. device management server) whose address is configured in the wireless devices 500 a , 500 b , . . . , 500 N or obtained during bootstrap of the wireless devices 500 a , 500 b , . . . , 500 N.
- a server e.g. device management server
- a common Activation Code (AC) for the complete set of devices is used for triggering profile download.
- the AC is obtained by the enterprise from the MNO entity 200 and provided to the LPApr, or put on a server for download to the LPAd, depending on the type of wireless devices 500 a , 500 b , . . . , 500 N as described above.
- the download preparation part of the profile ordering between the MNO entity 200 and SM-DP+ 300 is extended to handle a batch order using a common Matching identifier and the SM-DP+ 300 profile download behavior is extended to support the use of a common Matching identifier valid for several profile downloads (of wireless devices 500 a , 500 b , . . .
- each wireless device 500 a , 500 b , . . . , 500 N in the set uses a different Matching identifier from a given range.
- the download preparation between the MNO entity 200 and SM-DP+ 300 is then extended to handle a batch order using a range of Matching identifiers and the AC format is extended to support a range of Matching identifiers such that a common AC can be used.
- a Confirmation Code can be used to increase protection and to prevent any other device getting hold of the Matching identifier(s) valid for the set of wireless devices 500 a , 500 b , . . . , 500 N to perform an unauthorized profile download.
- the confirmation code might be made available to the LPApr or could be obtained from a server along with the access code and/or batch identifier.
- the enterprise might, by means of one single batch order, order RPM operations for its wireless devices 500 a , 500 b , . . . , 500 N from an MNO entity 200 (message: “Order RPM operation (batch identifier)”). Such an RPM operation may be to disable an enabled profile for all the wireless devices 500 a , 500 b , . . . , 500 N in the set.
- the enterprise is then typically using the same web portal as for subscription ordering and entering the batch identifier that it obtained at subscription ordering
- the MNO entity 200 itself might order/trigger RPM operations for a set of wireless devices 500 a , 500 b , . . . , 500 N based on needed profile updates.
- the MNO entity 200 may be allowed to update the profiles in the wireless devices 500 a , 500 b , . . . , 500 N and update their metadata.
- an RPM preparation phase is conducted between the MNO entity 200 and the SM-DP+ 300 (procedure: “RPM preparation for batch of devices”).
- the communication between the MNO entity 200 and the SM-DP+ 300 then supports ordering of RPM operations for a set of wireless devices 500 a , 500 b , . . .
- the handling of RPM operations for the set of wireless devices 500 a , 500 b , . . . , 500 N is roughly the same as the profile ordering and download for the set of wireless devices 500 a , 500 b , . . . , 500 N except that when handling of RPM operations the MNO entity 200 has access to the EID values of the wireless devices 500 a , 500 b , . . . , 500 N in the set and provides them and associated ICCID values to the SM-DP+ 300 . This might be necessary to locate the correct RPM package (bound to an ICCID) for a particular one of the wireless device 500 a , 500 b , . . . , 500 N (having a specific EID).
- an AC may be returned to the enterprise by the MNO entity 200 (messages: “[Activation code]” and “RPM operation initiation [Activation Code]”).
- the SM-DS event mechanism can be used to trigger RPM operations (procedure: “Event registration (OPTIONAL)”). In this latter case the SM-DP+ 300 contacts the SM-DS to register such an event.
- the wireless devices 500 a , 500 b , . . . , 500 N register one by one at the profile management entity 400 and download of an RPM package is then triggered (one by one) for the wireless devices 500 a , 500 b , . . . , 500 N (message: Register).
- Each wireless device 500 a , 500 b , . . . , 500 N performs a download process with the SM-DP+ 300 to download the RPM package (procedure: “download RPM package and perform operation(s)” and message “Notification”). This process depends on whether an Activation Code or if the SM-DS event mechanism is used to trigger download of the RPM package.
- FIG. 6 illustrating a method for handling subscription profiles for a set of wireless devices 500 a , 500 b , . . . , 500 N as performed by the MNO entity 200 according to an embodiment.
- the MNO entity 200 obtains a single request for handling subscription profiles for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the MNO entity 200 performs, with the profile provisioning server 300 , a preparation procedure for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- a common batch profile handling parameter for the set of wireless devices 500 a , 500 b , . . . , 500 N is created during the preparation procedure.
- the set of wireless devices 500 a , 500 b , . . . , 500 N are associated with at least one matching identifier.
- the at least one matching identifier enables actions relating to the handling of the subscription profiles at the MNO entity 200 and the profile provisioning server 300 to be tracked.
- These common functions/operations enable the use of profile download and RPM operations with a common BID and/or a common Activation Code.
- Embodiments relating to further details of handling subscription profiles for a set of wireless devices 500 a , 500 b , . . . , 500 N as performed by the MNO entity 200 will now be disclosed.
- the handling pertains to subscription download to the set of wireless devices 500 a , 500 b , . . . , 500 N, and the MNO entity 200 as part of performing the preparation procedure orders subscription profiles for the set of wireless devices 500 a , 500 b , . . . , 500 N from the profile provisioning server 300 .
- the handling pertains to remote profile management of the set of wireless devices 500 a , 500 b , . . . , 500 N, and the MNO entity 200 as part of performing the preparation procedure orders one or more remote profile management operations for the set of wireless devices 500 a , 500 b , . . . , 500 N from the profile provisioning server 300 .
- the MNO entity 200 when the set of wireless devices 500 a , 500 b , . . . , 500 N are bound to a common batch profile handling parameter (such as BID or AC), the MNO entity 200 as part of performing the preparation procedure (when the handling pertains to remote profile management of the set of wireless devices 500 a , 500 b , . . . , 500 N) provides batch profile handling parameter to the profile provisioning server 300 .
- the batch profile handling parameter has been generated in conjunction with a preparation process having been performed for subscription download to the set of wireless devices 500 a , 500 b , . . . , 500 N.
- there is one single matching identifier (such as one Matching identifier) common for all of the wireless devices 500 a , 500 b , . . . , 500 N in the set of wireless devices 500 a , 500 b , . . . , 500 N, or one range of matching identifiers (such as a range of Matching identifiers) for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- one single matching identifier such as one Matching identifier
- one range of matching identifiers such as a range of Matching identifiers
- the at least one matching identifier is generated by either the MNO entity 200 or the profile provisioning server 300 .
- the order for subscription profiles is performed without device identity information of the set of wireless devices 500 a , 500 b , . . . , 500 N being available to the MNO entity 200 and the profile provisioning server 300 .
- the device identity information is obtained by the profile provisioning server 300 from each wireless device 500 a in the set of wireless devices 500 a , 500 b , . . . , 500 N during subscription profile download.
- the device identity information of each wireless device 500 a is included in the message with the matching identifier from the wireless device 500 a to the profile provisioning server 300 .
- Each piece of device identity information is bound to one out of the set of subscription profiles at the profile provisioning server 300 .
- the MNO entity 200 as part of performing the preparation procedure provides device identity information of the set of wireless devices 500 a , 500 b , . . . , 500 N to the profile provisioning server 300 .
- a confirmation code is selected by the MNO entity 200 . Then the MNO entity 200 could be configured to perform optional steps S 104 a , S 104 b:
- the MNO entity 200 selects a common confirmation code for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the MNO entity 200 securely provides, to the profile provisioning server 300 and towards the profile management entity 400 , the confirmation code.
- Steps S 104 a and S 104 b could be performed as part of step S 104 .
- a BID could be generated by the MNO entity 200 . That is, according to some examples the batch profile handling parameter comprises a batch identifier generated by the MNO entity 200 as part of performing the preparation procedure and the MNO entity 200 provides the batch identifier to the profile provisioning server 300 .
- the SM-DS event mechanism with a common BID can in this case be used both for profile download and RPM operations.
- the MNO entity 200 might generate an Activation Code. That is, according to some examples the batch profile handling parameter comprises an activation code for the set of wireless devices 500 a , 500 b , . . . , 500 N generated by the MNO entity 200 .
- Activation Code option one common Activation Code valid for all wireless devices 500 a , 500 b , . . . , 500 N in the set can thus be used.
- FIG. 7 illustrating a method for handling subscription profiles for a set of wireless devices 500 a , 500 b , . . . , 500 N as performed by the profile provisioning server 300 according to an embodiment.
- the profile provisioning server 300 performs, with the MNO entity 200 , a preparation procedure for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- a common batch profile handling parameter for the set of wireless devices 500 a , 500 b , . . . , 500 N is created during the preparation procedure.
- the set of wireless devices 500 a , 500 b , . . . , 500 N are associated with at least one matching identifier.
- the at least one matching identifier enables actions relating to the handling of the subscription profiles at the MNO entity 200 and the profile provisioning server 300 to be tracked.
- the profile provisioning server 300 performs, with the profile management entity 400 and one of the wireless devices 500 a , 500 b , . . . , 500 N, a procedure for handling the subscription profile of the wireless device 500 a , during which procedure the profile provisioning server 300 receives from the wireless device 500 a a message comprising the matching identifier as signed by the wireless device 500 a.
- Embodiments relating to further details of handling subscription profiles for a set of wireless devices 500 a , 500 b , . . . , 500 N as performed by the profile provisioning server 300 will now be disclosed.
- the handling pertains to subscription download to the set of wireless devices 500 a , 500 b , . . . , 500 N, and the profile provisioning server 300 as part of performing the preparation procedure receives an order for subscription profiles for the set of wireless devices 500 a , 500 b , . . . , 500 N from the MNO entity 200 .
- the handling pertains to remote profile management of the set of wireless devices 500 a , 500 b , . . . , 500 N, and the profile provisioning server 300 as part of performing the preparation procedure receives an order for one or more remote profile management operations for the set of wireless devices 500 a , 500 b , . . . , 500 N from the MNO entity 200 .
- the profile provisioning server 300 when the handling pertains to remote profile management of the set of wireless devices 500 a , 500 b , . . . , 500 N, and when the set of wireless devices 500 a , 500 b , . . . , 500 N are bound to a common batch profile handling parameter, the profile provisioning server 300 , as part of performing the preparation procedure obtains the batch profile handling parameter from the MNO entity 200 .
- the batch profile handling parameter has been generated in conjunction with a preparation process having been performed for subscription download to the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the at least one matching identifier is generated by either the MNO entity 200 or the profile provisioning server 300 .
- the order for subscription profiles is performed without device identity information of the set of wireless devices 500 a , 500 b , . . . , 500 N being available to the MNO entity 200 and the profile provisioning server 300 .
- the device identity information is obtained by the profile provisioning server 300 from each wireless device 500 a in the set of wireless devices 500 a , 500 b , . . . , 500 N during subscription profile download.
- the device identity information of each wireless device 500 a is included in the message with the matching identifier from the wireless device 500 a to the profile provisioning server 300 .
- Each piece of device identity information is bound to one out of the set of subscription profiles at the profile provisioning server 300 .
- the profile provisioning server 300 as part of performing the preparation procedure obtains device identity information of the set of wireless devices 500 a , 500 b , . . . , 500 N from the MNO entity 200 .
- the profile provisioning server 300 in step S 206 , receives the message comprising the matching identifier from the wireless device 500 a via the profile management entity 400 .
- the profile provisioning server 300 as part of performing the preparation procedure prepares protected profile packages for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- a confirmation code is selected by the MNO entity 200 .
- the profile provisioning server 300 could then be configured to perform (optional) step S 202 a:
- the profile provisioning server 300 securely obtains, from the MNO entity 200 , a common confirmation code for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- Step S 202 a could be performed as part of step S 202 .
- the handling pertains to subscription download to the set of wireless devices 500 a , 500 b , . . . , 500 N
- the message received from the wireless device 500 a as part of the procedure for handling the subscription profile of the wireless device 500 a comprises the device identifier linked to the common matching identifier through the signature on the common matching identifier by the wireless device 500 a .
- the profile provisioning server 300 could then, upon successful verification of the signature, be configured to perform (optional) steps S 206 a and S 206 b:
- the profile provisioning server 200 uses stored records of mappings between subscription profiles, matching identifiers and device identifiers, to validate that a subscription profile mapped to the received matching identifier is available for download that is not already associated with any device identifier and that the received device identifier has not previously been used in successful profile download of a subscription profile associated with the received matching identifier.
- the profile provisioning server 200 is then, in case of successful validation, configured to perform step S 206 b:
- the profile provisioning server 200 selects one of the available subscription profiles for download and store the mapping between the received device identifier and the selected subscription profile.
- Steps S 206 a and S 206 b might be performed as part of step S 206 .
- the profile provisioning server 300 verifies a hashed Confirmation Code unique per wireless device 500 a , 500 b , . . . , 500 N.
- the procedure for handling the subscription profile of the wireless device 500 a thus involves the profile provisioning server 300 to perform steps S 206 c , S 206 d , S 206 e:
- the profile provisioning server 300 obtains, from the wireless device 500 a , a hash of the confirmation code as part of the procedure for handling the subscription profile of the wireless device 500 a.
- the profile provisioning server 300 computes the hash of the confirmation code for the wireless device 500 a .
- the confirmation code for the wireless device 500 a is computed as the hash of the common confirmation code and a device identifier for the wireless device 500 a .
- the device identifier is provided as part of the procedure for handling the subscription profile of the wireless device 500 a.
- the profile provisioning server 300 verifies that the hash of the confirmation code received from the wireless device 500 a matches the computed hash of the confirmation code.
- Steps S 206 c , S 206 d , S 206 e might be performed as part of step S 206 prior to, after, or mixed with steps S 206 a and S 206 b.
- the batch profile handling parameter comprises a batch identifier generated by the MNO entity 200 as part of performing the preparation procedure and the profile provisioning server 300 obtains the batch identifier from the MNO entity 200 .
- the profile provisioning server 300 might register events with the SM-DS. That is, in some examples the profile provisioning server 300 is configured to perform step S 204 :
- the profile provisioning server 300 registers an event of the handling of the subscription profiles with an SM-DS.
- the matching identifier might be used as event identifiers. That is, according to some examples the at least one matching identifier is a common matching identifier for the set of wireless devices 500 a , 500 b , . . . , 500 N and is used as event identifier (of the event).
- the BID can be used as device identifier (instead of EID). That is, according to some examples the batch identifier is used as device identifier during registration of the event with the SM-DS.
- FIG. 8 illustrating a method for handling subscription profiles for a set of wireless devices 500 a , 500 b , . . . , 500 N as performed by the profile management entity 400 according to an embodiment.
- the profile management entity 400 obtains a common batch profile handling parameter for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the profile management entity 400 performs, with the profile provisioning server 300 and one of the wireless devices 500 a , 500 b , . . . , 500 N, a procedure for handling the subscription profile of the wireless device 500 a .
- the profile management entity 400 provides to the wireless device 500 a a message comprising the batch profile handling parameter and/or a matching identifier for tracking actions relating to the handling of the subscription profiles at the MNO entity 200 and the profile provisioning server 300 .
- the wireless device 500 a Upon receiving the message the wireless device 500 a provides to the profile provisioning server 300 a message comprising the matching identifier as signed by the wireless device 500 a.
- Embodiments relating to further details of handling subscription profiles for a set of wireless devices 500 a , 500 b , . . . , 500 N as performed by the profile management entity 400 will now be disclosed.
- the MNO entity 200 selects a common confirmation code for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the profile management entity 400 might be configured to perform step S 304 :
- the profile management entity 400 securely obtains, from the MNO entity 200 , a common confirmation code for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the profile management entity 400 delivers to each wireless device 500 a , 500 b , . . . , 500 N in the set of wireless devices 500 a , 500 b , . . . , 500 N, the common confirmation code.
- the common confirmation code might, for example, be provided along with the batch handling parameter in the message provided by the profile management entity 400 to the wireless device 500 a in step S 308 .
- the profile management entity 400 can be configured to deliver to each wireless device 500 a , 500 b , . . . , 500 N in the set of wireless devices 500 a , 500 b , . . . , 500 N a device specific confirmation code.
- the profile management entity 400 might be configured to perform steps S 304 a -S 304 b:
- the profile management entity 400 obtains, from the wireless device 500 a , a device identifier for the wireless device 500 a.
- the profile management entity 400 computes the confirmation code for the wireless device 500 a .
- the confirmation code for the wireless device 500 a is computed as the hash of the common confirmation code and the device identifier for the wireless device 500 a.
- the profile management entity 400 provides, to the wireless device 500 a , the device specific confirmation code for the wireless device 500 a .
- the device specific confirmation code might, for example, be provided along with the batch handling parameter in the message provided by the profile management entity 400 to the wireless device 500 a in step S 308 .
- the batch profile handling parameter comprises a batch identifier generated by the MNO entity 200 .
- the profile management entity 400 might obtain the batch identifier from the MNO entity 200 .
- the batch identifier is used as device identifier during registration of an event with the SM-DS.
- a wireless device 500 a with a LPAd might obtain the event using the BID.
- the wireless device 500 a then extracts the event identifier for use as the matching identifier. Therefore, according to some examples the batch identifier is provided, by the profile management entity 400 , to each wireless device 500 a in the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the profile management entity 400 might, in the LPAd split case, obtain the event using the BID, extract the event identifier and provide it to each wireless device 500 a as the common matching identifier. Particularly, in some examples the profile management entity 400 is configured to perform step S 308 a as part of step S 308 :
- the profile management entity 400 obtains the common matching identifier to be provided in a message to each wireless device 500 a for use in the procedure for handling the subscription profile at the wireless device 500 a.
- the profile management entity 400 might perform with a first wireless device 500 a of the set of wireless devices 500 a , 500 b , . . . , 500 N that registers with the profile management entity 400 steps S 308 aa and S 308 ab and with the SM-DS steps S 308 ac and S 308 ad as part of step S 308 a:
- S 308 aa (optional): The profile management entity 400 sends, to the first wireless device 500 a , a request message comprising the batch identifier.
- the profile management entity 400 receives, from the first wireless device 500 a , a response message comprising a signature computed over the batch identifier, and the device identifier.
- the profile management entity 400 sends, to the SM-DS, a request to check for events at the SM-DS that are valid for the first wireless device 500 a and valid for the set of wireless devices 500 a , 500 b , . . . , 500 N identified by the batch identifier.
- the request comprises the batch identifier, the signature computed over the batch identifier, and the device identifier.
- the profile management entity 400 receives, from the SM-DS, a response comprising an event and checking that the event matches the intended profile handling procedure.
- the profile management entity 400 extracts the event identifier for use as the matching identifier.
- the batch profile handling parameter comprises an activation code for the set of wireless devices 500 a , 500 b , . . . , 500 N generated by the MNO entity 200 .
- the profile management entity 400 might obtain the activation code from the MNO entity 200 .
- the AC might be obtained by the profile management entity 400 , where the LPApr is provided in the profile management entity 400 .
- the activation code comprises a common matching identifier, and the matching identifier is used in the procedure for profile handling for each wireless device 500 a in the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the activation code comprises a range of matching identifiers.
- the profile management entity 400 might then be configured to perform (optional) step S 322 :
- the profile management entity 400 assigns one matching identifier from the range of matching identifiers per wireless device 500 a from the set of wireless devices 500 a , 500 b , . . . , 500 N, such that each wireless device 500 a in the set of wireless devices 500 a , 500 b , . . . , 500 N uses a unique matching identifier in the procedure for profile handling.
- the AC might be obtained by the profile management entity 400 , where the complete LPAd is provided in the wireless device 500 a .
- the activation code comprises a common matching identifier.
- the profile management entity 400 might then forward, to each wireless device 500 a in the set of wireless devices 500 a , 500 b , . . . , 500 N, the activation code.
- the activation code is then comprised in the message provided from the profile management entity 400 to the wireless device 500 a in step S 308 .
- the profile management entity 400 might be configured to perform step S 306 to select a unique matching identifier for each wireless device 500 a from the set of wireless devices 500 a , 500 b , . . . , 500 N and forward the activation code and the matching identifier to the wireless device 500 a.
- the activation code and the selected matching identifier are typically part of the message provided by the profile management entity 400 to the wireless device 500 a in step S 308 .
- FIG. 9 illustrating a method for handling a subscription profile for a wireless device 500 a as performed by the wireless device 500 a according to an embodiment.
- the wireless device 500 a performs, with the profile management entity 400 and a profile provisioning server 300 , a procedure for handling the subscription profile of the wireless device 500 a .
- the wireless device 500 a obtains from the profile management entity 400 a message comprising a batch profile handling parameter and/or a matching identifier.
- the batch profile handling parameter is common for a set of wireless devices 500 a , 500 b , . . . , 500 N to which the wireless device 500 a belongs.
- the set of wireless devices 500 a , 500 b , . . . , 500 N are associated with at least one matching identifier for tracking actions relating to the handling of the subscription profiles at an MNO entity 200 and the profile provisioning server 300 .
- the wireless device 500 a Upon receiving the message, the wireless device 500 a provides to the profile provisioning server 300 a message comprising the matching identifier as signed by the wireless device 500 a.
- the handling pertains to subscription download to the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the handling pertains to remote profile management of the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the set of wireless devices 500 a , 500 b , . . . , 500 N are bound to a common batch profile handling parameter.
- a common confirmation code is selected for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the profile provisioning server 300 verifies the hashed Confirmation Code as unique per wireless device 500 a , 500 b , . . . , 500 N.
- the wireless device 500 a when having an LPAd, might then be configured to provide, to the profile provisioning server 300 , a hash of the confirmation code to the profile provisioning server 300 as part of the procedure for handling the subscription profile of the wireless device 500 a.
- the batch profile handling parameter comprises a batch identifier generated by the MNO entity 200 as part of performing the preparation procedure.
- the batch identifier is used as device identifier during registration with the SM-DS of an event of the handling of the subscription profiles.
- a wireless device 500 a with a LPAd might obtain the event using the BID.
- the batch identifier is obtained from the profile management entity 400 .
- the procedure for handling the subscription profile at the wireless device 500 a might then involve the wireless device 500 a to perform step S 402 a:
- S 402 a (optional): The wireless device 500 a obtains the matching identifier for use when sending a message to the profile provisioning server 300 by performing steps S 402 aa and S 402 ab:
- the wireless device 500 a sends, to the SM-DS, a request message to check for events at the SM-DS that are valid for the wireless device 500 a and valid for the set of wireless devices 500 a , 500 b , . . . , 500 N identified by the batch identifier.
- the request comprises the batch identifier, a signature computed over the batch identifier, and the device identifier.
- the wireless device 500 a receives, from the SM-DS, a response message comprising an event, whereupon the wireless device 500 a checks that the event matches the profile handling procedure, and extracts the event identifier for use as the matching identifier.
- a wireless device 500 a might, in the LPAd split case, aid the profile management entity 400 in obtaining the event using the BID.
- the wireless device 500 a is configured to perform steps S 402 b -S 402 d:
- S 402 b (optional): The wireless device 500 a receives a request message comprising the batch identifier. Upon receiving this message the wireless device 500 a performs steps S 402 c and S 402 d:
- the wireless device 500 a provides a response message comprising the signature computed over the batch identifier, and the device identifier.
- the batch profile handling parameter comprises an activation code for the set of wireless devices 500 a , 500 b , . . . , 500 N generated by the MNO entity 200 .
- the AC might be obtained by the profile management entity 400 , where the LPApr is provided in the profile management entity 400 .
- the activation code comprises a common matching identifier, and the matching identifier is used in the procedure for profile handling for each wireless device 500 a in the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the activation code comprises a range of matching identifiers, and wherein one matching identifier from the range of matching identifiers is assigned per wireless device 500 a from the set of wireless devices 500 a , 500 b , . . . , 500 N, such that each wireless device 500 a in the set of wireless devices 500 a , 500 b , . . . , 500 N uses a unique matching identifier in the procedure for profile handling.
- the AC might be obtained by the profile management entity 400 , where the complete LPAd is provided in the wireless device 500 a .
- the activation code comprises a common matching identifier.
- the wireless device 500 a might then obtain, from the profile management entity 400 , the activation code.
- the activation code is then comprised in the message obtained by the wireless device 500 a from the profile management entity 400 in step S 402 .
- the activation code comprises a range of matching identifiers.
- the wireless device 500 a might then obtain, from the profile management entity 400 , the activation code and a matching identifier selected by the profile management entity 400 .
- the activation code and matching identifier are then comprised in the message obtained by the wireless device 500 a from the profile management entity 400 in step S 402 .
- the activation code comprises a common matching identifier for the set of wireless devices 500 a , 500 b , . . . , 500 N, and the common matching identifier is the batch identifier. That is, in some examples where the activation code is used, the Matching identifier is the BID.
- the GSMA RSP specification valid for a single wireless device 500 a , 500 b , . . . , 500 N is extended to, at one time, handle a set of wireless devices 500 a , 500 b , . . . , 500 N.
- the enterprise requests 3GPP identities (and order subscriptions) for a set of wireless devices 500 a , 500 b , . . . , 500 N from the MNO entity 200 (message: “ProfileBatchOrdering (NbrOfDev, device info)”).
- the enterprise provides information about the wireless devices 500 a , 500 b , . . . , 500 N.
- the information could pertain to the number of wireless devices 500 a , 500 b , . . . , 500 N and the type of wireless devices 500 a , 500 b , . . . , 500 N (e.g. if the wireless devices 500 a , 500 b , . . .
- the enterprise may also specify the information on the requested profile. If device identifiers, such as EID and/or IMEI, are available to the enterprise they may also be specified. Based on the information from the enterprise the MNO entity 200 selects a profile type (procedure: “Select Profile Type”). The MNO entity 200 may also at this point generate a batch identifier (procedure: “Generate batch identifier (BID)”).
- the batch identifier is an identifier for use by the enterprise to identify the set of wireless devices 500 a , 500 b , . . . , 500 N and may also be used between the MNO entity 200 SM-DP+ 300 during the batch ordering procedure. Alternatively, two different batch identifiers may be used for these two different purposes.
- the MNO entity 200 places a batch download order (message: “DownloadBatchOrder (NbrOfDev, Profile Type, [BID], [ICCIDs], [IMSIs], [IEDs])”) at the SM-DP+ 300 .
- the MNO entity 200 provides the number of wireless device 500 a , 500 b , . . . , 500 N and the profile type in the request, and might also provide EIDs, if available from the enterprise, BID, if generated by the MNO entity 200 , IMSI range for the profiles, if not already known to SM-DP+ 300 , and ICCID list or range. If the MNO entity 200 provides ICCID values then the first value in ICCID list/range might be associated with the first value in the EID list/range if it is provided.
- the request is processed at the SM-DP+ 300 (procedure: “Reserve ICCIDs”). If a list or range of ICCID values is provided, the SM-DP+ 300 checks in its inventory if these ICCID values are available. If not, or if no ICCID values are provided by the MNO entity 200 , the SM-DP+ 300 reserves available ICCID values from its inventory. The SM-DP+ 300 then generates the profile packages to be sent to the wireless devices 500 a , 500 b , . . . , 500 N containing the profile data (procedure: “Generate profile packages”).
- a profile package template based on the profile type is typically used that is then populated with profile individual data such as ICCID, IMSI, subscriber key, personal identification (PIN) code, and personal unlocking key (PUK) code.
- IMSI values from the MNO entity 200 as used when generating the profile packages are either obtained in the request or are already available to the SM-DP+ 300 . If IMSI values are known to the SM-DP+ 300 ahead of the DownloadBatchOrder request then a set of profile packages may also have been pre-generated and stored in the SM-DP+ 300 database. The SM-DP+ 300 can in this case pick profile packages from its storage, if the profile type is correct.
- New entries one for each profile given by its ICCID, are stored in the database of the SM-DP+ 300 linking together each ICCID with the BID (if available) and an EID value, if such values have been provided.
- the life-cycle state of each profile entry is set to “allocated” (if EID is not available) or “linked” (if EID is available).
- the SM-DP+ 300 responds with the BID (if available in the request) and profile data (message: “[BID], ICCIDs, [Profile data]”).
- the profile data is relevant individual data such as ICCID, IMSI, subscription key, and PUK for each of the profiles.
- a response to the DownloadBatchOrder request is provided with BID and/or ICCID values and there is another request made for fetching profile data that then can be called at a later time when all profile packages have been generated.
- the MNO entity 200 may generate Matching identifier(s) (procedure: “Generate Matching identifier(s)”).
- a common Matching identifier is used for the complete set of wireless devices 500 a , 500 b , . . . , 500 N.
- a range of Matching identifiers are allocated, one for each profile download.
- the MNO entity 200 confirms the batch order request to confirm the profile download orders (message: “ConfirmBatchOrder ([BID], [ICCIDs], [EIDs], [Matching identifier(s)], [Confirmation Code], [SM-DS address], releaseflag)”).
- the MNO entity 200 may include the batch identifier in the request to identify the set of profiles at the SM-DP+ 300 . If no BID is available, the ICCID list/range is included. If Matching identifier(s) have been generated they are included as well.
- the EID values may be included here instead and a common confirmation code for the whole set of wireless devices 500 a , 500 b , . . . , 500 N and the SM-DS address if the SM-DS event mechanism is to be used.
- a release flag is also included indicating whether the profiles are ready to be released (HSS provisioning has been done and the profiles are ready for download) or not.
- the SM-DP+ 300 selects a common Matching identifier or a range of Matching identifiers, depending on the embodiment (procedure: “Generate Matching identifier(s)”). The SM-DP+ 300 then populates the profile database entries related to the batch with Matching identifier(s) and EIDs and Confirmation Code, if provided. If the release flag is set to true, the life-cycle state of each profile is set to released. If the release flag is set to false, the life-cycle state may be updated to “linked” if EID values are provided. The selected Matching identifier(s) and SM-DP+ address (optional) is returned in response to the MNO entity 200 (message: “Matching identifier(s), [SM-DP+ address]”).
- the MNO entity 200 might then generate the activation code (AC) (procedure: “Create Activation Code (AC)”).
- AC activation code
- the standard format as described in the GSMA RSP specification is reused.
- the standard AC format is extended with the number of wireless devices 500 a , 500 b , . . . , 500 N in the set. For example, the number of wireless devices 500 a , 500 b , . . . , 500 N might follow after the Matching identifier with the delimiter “$” in between:
- the MNO entity 200 If not already generated, the MNO entity 200 also generates a BID (procedure: “Generate batch identifier (BID)”). The MNO entity 200 then returns the AC and/or the batch identifier to the enterprise as part of finalizing the subscription (profile ordering) contract (message: “[AC], BID, [Confirmation Code]”).
- BID Genedure: “Generate batch identifier
- the common Matching identifier is chosen to be the BID value. This could be the case when using the Activation Code for triggering profile download and where the LPApr/LPAd can extract the BID from the AC for later use with the SM-DS mechanism for checking for events for download of RPM operations.
- the MNO entity 200 might send a request to the SM-DP+ 300 once the provisioning has been performed such that the SM-DP+ 300 can set the profiles in state “released” (procedure: “Provision HSS with subscription data”, messages: “ReleaseBatchOfProfiles ([BID], [ICCIDs])”, “Result”). If release status was already confirmed in ConfirmBatchOrder then this step can be omitted.
- the event registration is performed (messages: “Register Event (Matching identifier, BID)”, “Result”).
- Event registration can be performed where the Matching identifier is used as EventID and the batch identifier is used as identifier (instead of the EID).
- the event becomes a common event for use by all the wireless devices 500 a , 500 b , . . . , 500 N in the set and will not be removed by the SM-DP+ 300 until all profiles in the set have been downloaded.
- This mechanism can be used independently if the EID values are known or not.
- the alternative with one matching identifier per wireless device 500 a , 500 b , . . . , 500 N in the set should not be used with SM-DS registration mechanism unless the EID values are known for each wireless device 500 a , 500 b , . . . , 500 N.
- the known event registration mechanisms can be used and one event per wireless device 500 a , 500 b , . . . , 500 N is registered with its EID and corresponding Matching identifier from the SM-DP+ 300 database.
- the set up for the SM-DS can be global with multiple SM-DP+ providers sharing the same SM-DS.
- the BID might then be needed to be unique for such cases. Since the BID is generated by the MNO entity 200 the BID can be composed of a random number and a prefix value unique per MNO entity 200 .
- the 32-digit EID format may be used also for the BID with some modifications to prevent the BID to collide with an existing EID value and to be globally unique. For example, one or more country code as encoded by digits 3 to 5 may be reserved for BIDs.
- digits 6 to 8 and digits 9 to 11 may encode the mobile country code (MCC) and mobile network code (MNC) of the MNO entity 200 that generated the BID. This leaves digits 12 to 30 for the random number (digits 31 and 32 are checksum digits).
- MCC mobile country code
- MNC mobile network code
- either the enterprise or the MNO entity 200 itself can cause one or more RPM operation to be ordered (message: “Order RPM operation (batch identifier)”).
- the MNO entity 200 may generate Matching identifier(s) for the RPM operation(s) to be used with the SM-DP+ 300 (procedure: “Generate Matching identifiers)”).
- a common Matching identifier is used for the complete set of wireless devices 500 a , 500 b , . . . , 500 N.
- a range of Matching identifiers is allocated, one for each wireless device 500 a , 500 b , . . . , 500 N in the set.
- the MNO entity 200 orders one or more RPM operations for the set of wireless devices 500 a , 500 b , . . . , 500 N from the SM-DP+ 300 (message: “RpmBatchOrder ([BID], [NbrOfDev], [ICCIDs], [EIDs], rpmscript, [Matching identifier(s)], [SM-DS address])”).
- RpmBatchOrder [BID], [NbrOfDev], [ICCIDs], [EIDs], rpmscript, [Matching identifier(s)], [SM-DS address]
- the MNO entity 200 provides an RPM script containing RPM commands (or operations) to be performed.
- the MNO entity 200 also provides the ICCID values of the profiles upon which the RPM commands shall be performed, the EID values of the wireless devices 500 a , 500 b , . . .
- the MNO entity 200 may also provide the Matching identifier(s) (if available) and the SM-DS address (if SM-DS event mechanism is to be used).
- the SM-DP+ 300 prepares the RPM packages for each of the wireless devices 500 a , 500 b , . . . , 500 N in the set using the provided (template) RPM script and inserting the ICCID value matching to each wireless device 500 a , 500 b , . . . , 500 N (procedure: “Prepare RPM packages”). If not already received from the MNO entity 200 , or if the values received are not available, the SM-DP+ 300 selects a common Matching identifier or a range of Matching identifiers, depending on the embodiment (procedure: “Generate matching identifier(s)”). The SM-DP+ 300 then populates the profile database entries related to the set of wireless devices 500 a , 500 b , . . . , 500 N with Matching identifier(s), EIDs, and the RPM packages.
- SM-DS event mechanism If SM-DS event mechanism is to be used to trigger RPM operations to be executed then event registration is performed. Two alternatives are possible (ALT 1 messages: “Register Event (Matching identifier, BID)” and “Result” or ALT 2 messages: “Register Event (Matching identifier_i, EID), Result”).
- the Matching identifier is used as EventID and the BID is used as identifier (instead of the EID).
- the event becomes a common event for use by all wireless devices 500 a , 500 b , . . .
- the database of the profile provisioning server 200 holds as many profile entries as the number of wireless devices 500 a , 500 b , . . . , 500 N in the set and where all profile entries are mapped to the common matching identifier and are all in life-cycle state “released”.
- the EID values are not yet known and not present in the profile entries in the database.
- Profile download is triggered when a wireless device 500 a registers with the profile management entity.
- the profile management entity starts the profile download (in the case an activation code is available) or checks for an SM-DS event for profile download using the batch identifier (BID).
- the wireless device 500 a is configured by the management server with an activation code or BID as part of device configuration. Depending on this configuration, the wireless device 500 a will either check for an SM-DS event for profile download to obtain the matching identifier or directly start profile download using the matching identifier from the activation code.
- the SM-DS event mechanism is described in more detail below.
- the SM-DS event retrieval only has to be done once (for the first wireless device 500 a that registers with the profile management entity) to obtain the common matching identifier.
- the procedure for profile download between each wireless device 500 a and the profile provisioning server 200 follows the standard GSMA RSP protocol for profile download, with modifications and via the profile management entity 300 in the LPAd split case, using the common matching identifier.
- the matching identifier is signed by the wireless device 500 a , linking the matching identifier to the EID (in an AuthenticateServerResponse message).
- the profile provisioning server 200 checks whether there is an available profile for download for the given wireless device 500 a by examining the matching identifier and EID.
- the profile provisioning server 200 searches for profile entries in “released” state with the received matching identifier. If no entry is available an error is generated and the profile download request is rejected.
- the profile provisioning server 200 If one or more such entries are present then it is checked if one of these entries is already mapped to the received EID. If this is the case, the profile provisioning server 200 assumes it is an ongoing profile download session that went wrong (i.e. was interrupted) the previous time and a new attempt is now made. The selected profile entry is then chosen, and profile download continues. If there is no entry already mapped to this EID, but entries that are not already mapped to an EID are available, then it is checked by the profile provisioning server 200 that this EID has not already been used once to download a profile for the given set of wireless devices 500 a , 500 b , . . . , 500 N.
- the profile management entity 300 ensures that the matching identifier is unique in the profile download for each wireless device 500 a .
- the checks performed by the profile provisioning server 200 as described to ensure each wireless device 500 a receives a unique profile and that a wireless device 500 a can only download one profile per batch) above are valid also in this case.
- the profile provisioning server 200 database includes as many profile entries as the number of wireless devices 500 a , 500 b , . . . , 500 N in the set and that each profile entry is mapped to a Matching identifier (either the common Matching identifier or a unique Matching identifier from the range of Matching identifiers), is in life-cycle state “installed”, is associated with an RPM package for download, and is mapped to the EID value of the iUICC/eUICC where the profile resides.
- a Matching identifier either the common Matching identifier or a unique Matching identifier from the range of Matching identifiers
- the SM-DS event mechanism is used to trigger download of RPM operations, and the LPApr or LPAd is configured with the common BID for the whole set of wireless devices 500 a , 500 b , . . . , 500 N and periodically checks for events.
- the EID may be used to check for events.
- the LPAd split case if a common Matching identifier is used then it is enough to perform the check for events only when the first wireless device 500 a belonging to the set registers. With the BID a common Matching identifier is used, but when the EID is used the Matching identifier may be common for all wireless devices 500 a , 500 b , . . . , 500 N in the set or not. In case of different Matching identifiers then the LPApr should check for events for all the wireless devices 500 a , 500 b , . . . , 500 N in the set.
- the LPApr/LPAd triggers download and execution of an RPM package.
- download and execution of an RPM package can be triggered through an Activation Code valid for the whole set of wireless devices 500 a , 500 b , . . . , 500 N and configured to the profile management entity 400 by the enterprise.
- the actual download and execution of the RPM package might then be performed according to the GSMA RSP specification and the Matching identifier obtained from the AC or through the SM-DS mechanism (i.e. the EventID) can be used.
- the SM-DP+ 300 might use the received Matching identifier (either common Matching identifier for the whole set of wireless devices 500 a , 500 b , . . . , 500 N or individual per device) and the EID to locate the correct profile entry in its database and the corresponding RPM package.
- the received Matching identifier either common Matching identifier for the whole set of wireless devices 500 a , 500 b , . . . , 500 N or individual per device
- the SM-DS searches for events for an iUICC/eUICC of a wireless device 500 a , 500 b , . . . , 500 N based on the EID, which it obtains during common mutual authentication with each wireless device 500 a , 500 b , . . . , 500 N.
- the SM-DS thus searches its database for event records for the given EID. If any events are available, these events are signed using the SM-DS private key and passed to the LPApr/LPAd.
- the LPApr/LPAd then uses the iUICC/eUICC to verify the SM-DS signature. If the verification is successful the LPApr/LPAd starts to process the list of event records.
- the following is performed in order to allow an LPApr/LPAd to check for events registered using a common BID.
- the so-called CtxParams1 field of an AuthenticateServerRequest message prepared by the LPApr/LPAd is extended to include the BID as an optional parameter.
- the BID is included as part of the CtxParamsForCommonAuthentication in the CtxParams1.
- the CtxParams1 is signed by the iUICC/eUICC as part of the AuthenticateServerResponse.
- the SM-DS Upon successful parsing and verification of the AuthenticateServerResponse, if the SM-DS finds a BID included as part of CtxParamsForCommonAuthentication, then the BID is used instead of the extracted EID to search for event records in the SM-DS database.
- the verification of the AuthenticateServerResponse proves to the SM-DS that the request comes from a wireless device 500 a , 500 b , . . . , 500 N equipped with a legitimate iUICC/eUICC.
- the signature covering also the BID proves to the SM-DS the knowledge of the BID.
- the value of the BID should be handled with care by the enterprise, the MNO entity 200 , the SM-DP+ 400 , and the SM-DS in order to prevent unauthorized access to the BID as well as unauthorized profile download.
- the BID might therefore be transferred on encrypted links between these entities.
- a Confirmation Code might be used for profile download, thereby preventing unauthorized profile download if the BID value has leaked. In the case of RPM operations there is no need to use a Confirmation Code.
- the GSMA RSP consumer variant specification defines the concept of a Confirmation Code that is a secret value transferred out of band from the MNO entity 200 to the device owner/user and that is then provided to the LPApr/LPAd.
- the Confirmation Code which is optional, is used to prove to the SM-DP+ 300 that a wireless device 500 a , 500 b , . . . , 500 N is authorized for profile download.
- any wireless device 500 a , 500 b , . . . , 500 N with a legitimate iUICC/eUICC that knows the common Matching identifier (or one of the individual Matching identifiers for the set of wireless device 500 a , 500 b , . . . , 500 N if this option is used) can contact the SM-DP+ 300 for profile download.
- the Matching identifier(s) should be securely stored and handled with care at each entity such that it does not leak allowing unauthorized profile downloads. Further, the Matching identifier(s) should be given non-trivial values. For example, the Matching identifier(s) might be given random values. The size of the Matching identifier might be have a length (e.g. at least 10 characters) such that the probability of guessing the correct value is comparatively low.
- the SM-DP+ 300 might implement limits on the number of attempts for profile download a wireless device 500 a , 500 b , . . . , 500 N with a legitimate iUICC/eUICC may perform per minute (using different Matching identifier) and also a maximum number of attempts.
- the BID is used to retrieve the EventID, which then serves as the common Matching identifier.
- the BID is intended as a long-lived identifier of the set of wireless devices 500 a , 500 b , . . . , 500 N throughout its life-time. Any wireless device 500 a , 500 b , . . . , 500 N with a legitimate iUICC/eUICC that knows the BID can retrieve the SM-DS events valid for the set of wireless devices 500 a , 500 b , . . . , 500 N.
- the BID should be kept secret until profile download has been completed for all wireless devices 500 a , 500 b , . . . , 500 N in the set.
- SM-DS event mechanism is used for profile download (and a Confirmation Code is not used) the above details regarding how to keep Matching identifier a secret is also valid for the BID.
- the SM-DS event mechanism is not originally designed to handle secrets.
- the SM-DS event mechanism commonly handles EIDs and EventIDs that are not considered secret.
- the Confirmation code might be selected by the MNO entity 200 and securely provided to the enterprise and the SM-DP+ 300 .
- the Confirmation Code is provided to the profile management entity 400 (LPApr in the LPAd split case) by the enterprise and might in the LPAd case be obtained by each wireless device 500 a , 500 b , . . . , 500 N from the profile management entity 400 along with the BID and/or AC.
- the Confirmation Code is hashed with the transaction identifier by the LPAd/LPApr and is then signed by the iUICC/eUICC and provided to the SM-DP+ 300 as part of the so-called PrepareDownloadResponse structure.
- the SM-DP+ 300 computes the hash of the Confirmation Code and the transaction identifier and checks that it matches the signed hash.
- the Confirmation Code is provided to each wireless device 500 a , 500 b , . . . , 500 N of the set, there might be an increased risk that the Confirmation Code leaks.
- the Confirmation Code is first hashed with the EID of each wireless device 500 a , 500 b , . . . , 500 N by the profile management entity 400 and this hash is then provided as a device specific secret to each device. The LPAd then uses this hash in place of the ordinary Confirmation Code while performing the profile download.
- the SM-DP+ 300 is then configured accordingly when verifying the Confirmation Code. That is, the SM-DP+ 300 might first compute the hash of the Confirmation Code and the EID, then compute another hash of this first hash concatenated with the transaction identifier, and then check that the second hash matches what was signed by the iUICC/eUICC. This alternative might also be used also in the LPApr case, even though the Confirmation Code then never leaves LPApr.
- FIG. 12 schematically illustrates, in terms of a number of functional units, the components of an MNO entity 200 according to an embodiment.
- Processing circuitry 210 is provided using any combination of one or more of a suitable central processing unit CPU, multiprocessor, microcontroller, digital signal processor DSP, etc., capable of executing software instructions stored in a computer program product 2010 a as in FIG. 20 , e.g. in the form of a storage medium 230 .
- the processing circuitry 210 may further be provided as at least one application specific integrated circuit ASIC, or field programmable gate array FPGA.
- the processing circuitry 210 is configured to cause the MNO entity 200 to perform a set of operations, or steps, as disclosed above.
- the storage medium 230 may store the set of operations
- the processing circuitry 210 may be configured to retrieve the set of operations from the storage medium 230 to cause the MNO entity 200 to perform the set of operations.
- the set of operations may be provided as a set of executable instructions.
- the processing circuitry 210 is thereby arranged to execute methods as herein disclosed.
- the storage medium 230 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
- the MNO entity 200 may further comprise a communications interface 220 for communications with other entities, nodes, functions, devices, and servers.
- the communications interface 220 may comprise one or more transmitters and receivers, comprising analogue and digital components.
- the processing circuitry 210 controls the general operation of the MNO entity 200 e.g. by sending data and control signals to the communications interface 220 and the storage medium 230 , by receiving data and reports from the communications interface 220 , and by retrieving data and instructions from the storage medium 230 .
- Other components, as well as the related functionality, of the MNO entity 200 are omitted in order not to obscure the concepts presented herein.
- FIG. 13 schematically illustrates, in terms of a number of functional modules, the components of an MNO entity 200 according to an embodiment.
- the MNO entity 200 of FIG. 13 comprises a number of functional modules; an obtain module 210 a configured to perform step S 102 , and a prepare module 210 b configured to perform step S 104 .
- the MNO entity 200 of FIG. 13 may further comprise a number of optional functional modules, such as any of a select module 210 c configured to perform step S 104 a , and a provide module 210 d configured to perform step S 104 b .
- each functional module 210 a - 210 d may be implemented in hardware or in software.
- one or more or all functional modules 210 a - 210 d may be implemented by the processing circuitry 210 , possibly in cooperation with the communications interface 220 and the storage medium 230 .
- the processing circuitry 210 may thus be arranged to from the storage medium 230 fetch instructions as provided by a functional module 210 a - 210 d and to execute these instructions, thereby performing any steps of the MNO entity 200 as disclosed herein.
- FIG. 14 schematically illustrates, in terms of a number of functional units, the components of a profile provisioning server 300 according to an embodiment.
- Processing circuitry 310 is provided using any combination of one or more of a suitable central processing unit CPU, multiprocessor, microcontroller, digital signal processor DSP, etc., capable of executing software instructions stored in a computer program product 2010 b as in FIG. 20 , e.g. in the form of a storage medium 330 .
- the processing circuitry 310 may further be provided as at least one application specific integrated circuit ASIC, or field programmable gate array FPGA.
- the processing circuitry 310 is configured to cause the profile provisioning server 300 to perform a set of operations, or steps, as disclosed above.
- the storage medium 330 may store the set of operations
- the processing circuitry 310 may be configured to retrieve the set of operations from the storage medium 330 to cause the profile provisioning server 300 to perform the set of operations.
- the set of operations may be provided as a set of executable instructions.
- the processing circuitry 310 is thereby arranged to execute methods as herein disclosed.
- the storage medium 330 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
- the profile provisioning server 300 may further comprise a communications interface 320 for communications with other entities, nodes, functions, devices, and servers.
- the communications interface 320 may comprise one or more transmitters and receivers, comprising analogue and digital components.
- the processing circuitry 310 controls the general operation of the profile provisioning server 300 e.g. by sending data and control signals to the communications interface 320 and the storage medium 330 , by receiving data and reports from the communications interface 320 , and by retrieving data and instructions from the storage medium 330 .
- Other components, as well as the related functionality, of the profile provisioning server 300 are omitted in order not to obscure the concepts presented herein.
- FIG. 15 schematically illustrates, in terms of a number of functional modules, the components of a profile provisioning server 300 according to an embodiment.
- the profile provisioning server 300 of FIG. 15 comprises a number of functional modules; a prepare module 310 a configured to perform step S 202 , and a handle module 310 d configured to perform step S 206 .
- the profile provisioning server 300 of FIG. 15 comprises a number of functional modules; a prepare module 310 a configured to perform step S 202 , and a handle module 310 d configured to perform step S 206 .
- 15 may further comprise a number of optional functional modules, such as any of an obtain module 310 b configured to perform step S 202 a , a register module 310 c configured to perform step S 204 , a validate module 310 e configured to perform step S 206 a , a select module 310 f configured to perform step S 206 b , an obtain module 310 g configured to perform step S 206 a , a compute module 310 h configured to perform step S 206 b , and a verify module 310 i configured to perform step S 206 c.
- optional functional modules such as any of an obtain module 310 b configured to perform step S 202 a , a register module 310 c configured to perform step S 204 , a validate module 310 e configured to perform step S 206 a , a select module 310 f configured to perform step S 206 b , an obtain module 310 g configured to perform step S 206 a , a compute module 310 h configured
- each functional module 310 a - 310 i may be implemented in hardware or in software.
- one or more or all functional modules 310 a - 310 i may be implemented by the processing circuitry 310 , possibly in cooperation with the communications interface 320 and the storage medium 330 .
- the processing circuitry 310 may thus be arranged to from the storage medium 330 fetch instructions as provided by a functional module 310 a - 310 i and to execute these instructions, thereby performing any steps of the profile provisioning server 300 as disclosed herein.
- FIG. 16 schematically illustrates, in terms of a number of functional units, the components of a profile management entity 400 according to an embodiment.
- Processing circuitry 410 is provided using any combination of one or more of a suitable central processing unit CPU, multiprocessor, microcontroller, digital signal processor DSP, etc., capable of executing software instructions stored in a computer program product 2010 c as in FIG. 20 , e.g. in the form of a storage medium 430 .
- the processing circuitry 410 may further be provided as at least one application specific integrated circuit ASIC, or field programmable gate array FPGA.
- the processing circuitry 410 is configured to cause the profile management entity 400 to perform a set of operations, or steps, as disclosed above.
- the storage medium 430 may store the set of operations
- the processing circuitry 410 may be configured to retrieve the set of operations from the storage medium 430 to cause the profile management entity 400 to perform the set of operations.
- the set of operations may be provided as a set of executable instructions.
- the processing circuitry 410 is thereby arranged to execute methods as herein disclosed.
- the storage medium 330 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
- the profile management entity 400 may further comprise a communications interface 420 for communications with other entities, nodes, functions, devices, and servers.
- the communications interface 420 may comprise one or more transmitters and receivers, comprising analogue and digital components.
- the processing circuitry 410 controls the general operation of the profile management entity 400 e.g. by sending data and control signals to the communications interface 420 and the storage medium 430 , by receiving data and reports from the communications interface 420 , and by retrieving data and instructions from the storage medium 430 .
- Other components, as well as the related functionality, of the profile management entity 400 are omitted in order not to obscure the concepts presented herein.
- FIG. 17 schematically illustrates, in terms of a number of functional modules, the components of a profile management entity 400 according to an embodiment.
- the profile management entity 400 of FIG. 17 comprises a number of functional modules; an obtain module 410 a configured to perform step S 302 , and a handle module 410 f configured to perform step S 308 .
- the profile management entity 400 of FIG. 17 comprises a number of functional modules; an obtain module 410 a configured to perform step S 302 , and a handle module 410 f configured to perform step S 308 .
- 17 may further comprise a number of optional functional modules, such as any of an obtain module 410 b configured to perform step S 304 , an obtain module 410 c configured to perform step S 304 a , a compute module 410 d configured to perform step S 304 b , an assign module 410 e configured to perform step S 306 , an obtain module 410 g configured to perform step S 308 a , a send module 410 h configured to perform step S 308 aa , a receive module 410 i configured to perform step S 308 ab , a send module 410 j configured to perform step S 308 ac , and a receive module 410 k configured to perform step S 308 ad.
- optional functional modules such as any of an obtain module 410 b configured to perform step S 304 , an obtain module 410 c configured to perform step S 304 a , a compute module 410 d configured to perform step S 304 b , an assign module 410 e configured to perform step
- each functional module 410 a - 410 k may be implemented in hardware or in software.
- one or more or all functional modules 410 a - 410 k may be implemented by the processing circuitry 410 , possibly in cooperation with the communications interface 420 and the storage medium 430 .
- the processing circuitry 410 may thus be arranged to from the storage medium 430 fetch instructions as provided by a functional module 410 a - 410 k and to execute these instructions, thereby performing any steps of the profile management entity 400 as disclosed herein.
- FIG. 18 schematically illustrates, in terms of a number of functional units, the components of a wireless device 500 a according to an embodiment.
- Processing circuitry 510 is provided using any combination of one or more of a suitable central processing unit CPU, multiprocessor, microcontroller, digital signal processor DSP, etc., capable of executing software instructions stored in a computer program product 2010 c as in FIG. 20 , e.g. in the form of a storage medium 530 .
- the processing circuitry 510 may further be provided as at least one application specific integrated circuit ASIC, or field programmable gate array FPGA.
- the processing circuitry 510 is configured to cause the wireless device 500 a to perform a set of operations, or steps, as disclosed above.
- the storage medium 530 may store the set of operations
- the processing circuitry 510 may be configured to retrieve the set of operations from the storage medium 530 to cause the wireless device 500 a to perform the set of operations.
- the set of operations may be provided as a set of executable instructions.
- the processing circuitry 510 is thereby arranged to execute methods as herein disclosed.
- the storage medium 330 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
- the wireless device 500 a may further comprise a communications interface 520 for communications with other entities, nodes, functions, devices, and servers.
- the communications interface 520 may comprise one or more transmitters and receivers, comprising analogue and digital components.
- the processing circuitry 510 controls the general operation of the wireless device 500 a e.g. by sending data and control signals to the communications interface 520 and the storage medium 530 , by receiving data and reports from the communications interface 520 , and by retrieving data and instructions from the storage medium 530 .
- Other components, as well as the related functionality, of the wireless device 500 a are omitted in order not to obscure the concepts presented herein.
- FIG. 19 schematically illustrates, in terms of a number of functional modules, the components of a wireless device 500 a according to an embodiment.
- the wireless device 500 a of FIG. 19 comprises a handle module 510 a configured to perform step S 402 .
- the wireless device 500 a of FIG. 19 comprises a handle module 510 a configured to perform step S 402 .
- the wireless device 500 a of FIG. 19 comprises a handle module 510 a configured to perform step S 402 .
- 19 may further comprise a number of optional functional modules, such as any of an obtain module 510 b configured to perform step S 402 a , a send module 510 c configured to perform step S 402 aa , a receive module 510 d configured to perform step S 402 ab , a receive module 510 e configured to perform step S 402 b , a sign module 510 f configured to perform step S 402 c , and a provide module 510 g configured to perform step S 402 d.
- optional functional modules such as any of an obtain module 510 b configured to perform step S 402 a , a send module 510 c configured to perform step S 402 aa , a receive module 510 d configured to perform step S 402 ab , a receive module 510 e configured to perform step S 402 b , a sign module 510 f configured to perform step S 402 c , and a provide module 510 g configured to perform step S 402 d.
- each functional module 510 a - 510 g may be implemented in hardware or in software.
- one or more or all functional modules 510 a - 510 g may be implemented by the processing circuitry 510 , possibly in cooperation with the communications interface 520 and the storage medium 530 .
- the processing circuitry 510 may thus be arranged to from the storage medium 530 fetch instructions as provided by a functional module 510 a - 510 g and to execute these instructions, thereby performing any steps of the wireless device 500 a as disclosed herein.
- FIG. 20 shows one example of a computer program product 2010 a , 2010 b , 2010 c comprising computer readable means 2030 .
- a computer program 2020 a can be stored, which computer program 2020 a can cause the processing circuitry 210 and thereto operatively coupled entities and devices, such as the communications interface 220 and the storage medium 230 , to execute methods according to embodiments described herein.
- the computer program 2020 a and/or computer program product 2010 a may thus provide means for performing any steps of the MNO entity 200 as herein disclosed.
- a computer program 2020 b can be stored, which computer program 2020 b can cause the processing circuitry 310 and thereto operatively coupled entities and devices, such as the communications interface 320 and the storage medium 330 , to execute methods according to embodiments described herein.
- the computer program 2020 b and/or computer program product 2010 b may thus provide means for performing any steps of the profile provisioning server 300 as herein disclosed.
- a computer program 2020 c can be stored, which computer program 2020 c can cause the processing circuitry 410 and thereto operatively coupled entities and devices, such as the communications interface 420 and the storage medium 430 , to execute methods according to embodiments described herein.
- the computer program 2020 c and/or computer program product 2010 c may thus provide means for performing any steps of the profile management entity 400 as herein disclosed.
- a computer program 2020 d can be stored, which computer program 2020 d can cause the processing circuitry 510 and thereto operatively coupled entities and devices, such as the communications interface 520 and the storage medium 530 , to execute methods according to embodiments described herein.
- the computer program 2020 c and/or computer program product 2010 c may thus provide means for performing any steps of the wireless device 500 a as herein disclosed.
- the computer program product 2010 a , 2010 b , 2010 c is illustrated as an optical disc, such as a CD (compact disc) or a DVD (digital versatile disc) or a Blu-Ray disc.
- the computer program product 2010 a , 2010 b , 2010 c could also be embodied as a memory, such as a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), or an electrically erasable programmable read-only memory (EEPROM) and more particularly as a non-volatile storage medium of a device in an external memory such as a USB (Universal Serial Bus) memory or a Flash memory, such as a compact Flash memory.
- RAM random access memory
- ROM read-only memory
- EPROM erasable programmable read-only memory
- EEPROM electrically erasable programmable read-only memory
- the computer program 2020 a , 2020 b , 2020 c is here schematically shown as a track on the depicted optical disk, the computer program 2020 a , 2020 b , 2020 c can be stored in any way which is suitable for the computer program product 2010 a , 2010 b , 2010 c.
Abstract
Description
Claims (21)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2018/072354 WO2020035150A1 (en) | 2018-08-17 | 2018-08-17 | Handling of subscription profiles for a set of wireless devices |
Publications (2)
Publication Number | Publication Date |
---|---|
US20210385635A1 US20210385635A1 (en) | 2021-12-09 |
US11523261B2 true US11523261B2 (en) | 2022-12-06 |
Family
ID=63254733
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/267,552 Active US11523261B2 (en) | 2018-08-17 | 2018-08-17 | Handling of subscription profiles for a set of wireless devices |
Country Status (3)
Country | Link |
---|---|
US (1) | US11523261B2 (en) |
EP (1) | EP3837868A1 (en) |
WO (1) | WO2020035150A1 (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102600813B1 (en) * | 2018-06-07 | 2023-11-10 | 삼성전자 주식회사 | Apparatus and method for installing and managing a profile by using messaging service |
KR102637120B1 (en) * | 2019-02-15 | 2024-02-15 | 삼성전자주식회사 | APPARATUS AND METHOD FOR MANAGING AUTHORIZATION OF INSTALLING AN eUICC PROFILE |
WO2022100858A1 (en) * | 2020-11-13 | 2022-05-19 | Telefonaktiebolaget Lm Ericsson (Publ) | Download of a subscription profile to a communication device |
EP4264980A1 (en) * | 2020-12-17 | 2023-10-25 | Telefonaktiebolaget LM Ericsson (publ) | Download handling of a pool of subscription profiles |
EP4278632A1 (en) * | 2021-04-14 | 2023-11-22 | Samsung Electronics Co., Ltd. | Method and apparatus for managing events in a wireless communication system |
US11516676B1 (en) * | 2021-07-14 | 2022-11-29 | Sprint Communications Company Lp | Secure provisioning of electronic subscriber identity module (eSIM) profiles |
CN113784336B (en) * | 2021-09-17 | 2024-04-09 | 捷开通讯(深圳)有限公司 | Code number downloading method, system, terminal equipment and computer readable storage medium |
WO2023169683A1 (en) * | 2022-03-10 | 2023-09-14 | Telefonaktiebolaget Lm Ericsson (Publ) | Subscription profile download and installation |
WO2023169682A1 (en) * | 2022-03-10 | 2023-09-14 | Telefonaktiebolaget Lm Ericsson (Publ) | Download of a subscription profile to a communication device |
EP4284040A1 (en) * | 2022-05-25 | 2023-11-29 | Giesecke+Devrient ePayments GmbH | Provision of a profile package on a profile server for download to an euicc |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110122774A1 (en) * | 2009-11-25 | 2011-05-26 | T-Mobile Usa, Inc. | Time or Condition-Based Reestablishment of a Secure Connection |
US20140004827A1 (en) * | 2012-06-27 | 2014-01-02 | Rogers Communications Inc. | System and method for remote provisioning of embedded universal integrated circuit cards |
US20170041284A1 (en) | 2015-08-03 | 2017-02-09 | Verizon Patent And Licensing Inc. | Providing a service to a user device based on a capability of the user device when the user device shares an identifier |
US20170149827A1 (en) * | 2015-11-23 | 2017-05-25 | Blackberry Limited | Method and system for implementing usage restrictions on profiles downloaded to an mobile device |
WO2019137630A1 (en) | 2018-01-15 | 2019-07-18 | Telefonaktiebolaget Lm Ericsson (Publ) | Profile handling of a communications device |
US20190253884A1 (en) * | 2016-10-20 | 2019-08-15 | Huawei Technologies Co., Ltd. | Method and Apparatus for Managing Embedded Universal Integrated Circuit Card EUICC |
US20200045544A1 (en) * | 2017-03-31 | 2020-02-06 | Huawei Technologies Co., Ltd. | Method for adding authentication algorithm program, and relevant device and system |
-
2018
- 2018-08-17 EP EP18756237.6A patent/EP3837868A1/en active Pending
- 2018-08-17 US US17/267,552 patent/US11523261B2/en active Active
- 2018-08-17 WO PCT/EP2018/072354 patent/WO2020035150A1/en unknown
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110122774A1 (en) * | 2009-11-25 | 2011-05-26 | T-Mobile Usa, Inc. | Time or Condition-Based Reestablishment of a Secure Connection |
US20140004827A1 (en) * | 2012-06-27 | 2014-01-02 | Rogers Communications Inc. | System and method for remote provisioning of embedded universal integrated circuit cards |
US20170041284A1 (en) | 2015-08-03 | 2017-02-09 | Verizon Patent And Licensing Inc. | Providing a service to a user device based on a capability of the user device when the user device shares an identifier |
US20170149827A1 (en) * | 2015-11-23 | 2017-05-25 | Blackberry Limited | Method and system for implementing usage restrictions on profiles downloaded to an mobile device |
US20190253884A1 (en) * | 2016-10-20 | 2019-08-15 | Huawei Technologies Co., Ltd. | Method and Apparatus for Managing Embedded Universal Integrated Circuit Card EUICC |
US20200045544A1 (en) * | 2017-03-31 | 2020-02-06 | Huawei Technologies Co., Ltd. | Method for adding authentication algorithm program, and relevant device and system |
WO2019137630A1 (en) | 2018-01-15 | 2019-07-18 | Telefonaktiebolaget Lm Ericsson (Publ) | Profile handling of a communications device |
Non-Patent Citations (6)
Title |
---|
Aboba, B. et al.; "RFC 3748—Extensible Authentication Protocol (EAP)"; Network Working Group; The Internet Society, Jun. 2004; 67 pages. |
Arkko, J. et al.; "RFC 5448—Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA')"; Network Working Group; The Internet Society, May 2009; 29 pages. |
Groupe Speciale Mobile Association (GSMA); "eSIM"; Mar. 2018; 25 pages. |
Groupe Speciale Mobile Association (GSMA); "Remote SIM Provisioning for Machine to Machine _ Internet of Things" 2018; 5 pages. |
Groupe Speciale Mobile Association (GSMA); "SGP.22-RSP Technical Specification v2.2"; Sep. 1, 2017; 264 pages. |
International Search Report and Written Opinion of the International Searching Authority for PCT International Application No. PCT/EP2018/072354 dated Apr. 12, 2019. |
Also Published As
Publication number | Publication date |
---|---|
US20210385635A1 (en) | 2021-12-09 |
EP3837868A1 (en) | 2021-06-23 |
WO2020035150A1 (en) | 2020-02-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11523261B2 (en) | Handling of subscription profiles for a set of wireless devices | |
US11595813B2 (en) | Profile handling of a communications device | |
US10244074B2 (en) | Method and apparatus for receiving profile by terminal in mobile communication system | |
KR102381377B1 (en) | Method and apparatus for providing a profile remotely in a communication system | |
US11863663B2 (en) | Initial network authorization for a communications device | |
KR102450358B1 (en) | Method and apparatus for downloading profile in wireless communication system | |
US11496883B2 (en) | Apparatus and method for access control on eSIM | |
CN111263334A (en) | Configuring an electronic subscriber identity module for a mobile wireless device | |
US10826945B1 (en) | Apparatuses, methods and systems of network connectivity management for secure access | |
US11838752B2 (en) | Method and apparatus for managing a profile of a terminal in a wireless communication system | |
US11871227B2 (en) | Device changing method and apparatus of wireless communication system | |
US11832348B2 (en) | Data downloading method, data management method, and terminal | |
CN110268730B (en) | Techniques for managing subscriptions with operators | |
US20230209340A1 (en) | Method and apparatus for transferring network access information between terminals in mobile communication system | |
US20230300596A1 (en) | Remote subscription profile download | |
US20160165423A1 (en) | Application specific congestion control management | |
US20240031805A1 (en) | Download of a subscription profile to a communication device | |
US20230010440A1 (en) | System and Method for Performing Identity Management | |
WO2023169682A1 (en) | Download of a subscription profile to a communication device | |
WO2023134844A1 (en) | Establishment of network connection for a communication device | |
WO2023169683A1 (en) | Subscription profile download and installation | |
KR20240042059A (en) | Delegated eUICC Profile Management |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: OY LM ERICSSON AB, FINLAND Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:AHMED, ABU SHOHEL;MEINANDER, MIA;REEL/FRAME:055213/0412 Effective date: 20180917 Owner name: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL), SWEDEN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:JOHANSSON, PETRI MIKAEL;STAHL, PER;REEL/FRAME:055213/0273 Effective date: 20180912 |
|
FEPP | Fee payment procedure |
Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
AS | Assignment |
Owner name: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL), SWEDEN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:OY LM ERICSSON AB;REEL/FRAME:055318/0720 Effective date: 20181001 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |